
  • Measuring effectiveness of competence training


    Answer:

    Clause 7.2 c) requires organizations to take actions so that their employees can acquire the necessary competence, and then to evaluate those actions.

    Actions to acquire the necessary competence can be hiring an outsourced trainer or consultant to deliver the necessary training, or appointing somebody from the organization to conduct the training for the employees with an insufficient level of competence.

    Evaluating the effectiveness of these actions means that you need to determine whether the actions delivered what you expected from them, or, in simple words, whether the employees acquired the necessary competence. The effectiveness can be determined by testing the employees to see if they now have the competence. The testing can be in the form of a written exam, or they can be evaluated by their superior in the workplace.

    For more information, see:
    - How to ensure competence and awareness in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
  • Exclusion of Design and Development

    1. Clause 8 - 08 Procedure for Design and Development: this will be excluded ... as we are not designing anything - right?

    Answer:

    Yes, clause 8.3 Design and development of products and services can be excluded if the organization does not perform a design and development process. All you need to do is to write a justification for the exclusion in the document called Scope of the Quality Management System.

    For more information about exclusions in ISO 9001:2015, see this article:
    - What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/
  • Transition to ISO 2015 version and document labeling

    I noticed that most requirements are similar; there is a correspondence between the ISO 2008 version sections/paragraphs and the 2015 ones, however they are numbered completely differently.
    Would we have to change the numbers of all our Procedures/Forms in order to correspond to the paragraphs of the new standard version, or would it be sufficient to create a correspondence chart, as an easy way to retrieve a required document for compliance? I understand that the re-certification audit will be done according to the new standard version.

    Answer:

    The best way to approach the transition is to first identify the requirements of the new version that you already meet with your documentation and processes, and then to start adapting your processes and documents to the new version of the standard.

    Most of the requirements are similar, but the clause numbers are changed and some new requirements are added. As far as procedure/form numbers are concerned, you don't have to change them, since the standard does not prescribe how you're going to label your documents or your numbering system. You only need to change the references to clauses inside the procedures so they are aligned with the new version and the new clause numbers.

    The re-certification can be done according to the new version, but only if you choose to. You can do it according to the previous version of the standard until September 2018.

    For more information see:
    - How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
    - ISO 9001:2015 – The benefits of early implementation https://advisera.com/9001academy/blog/2015/09/29/iso-90012015-the-benefits-of-early-implementation/
  • Free online courses


    Answer:

    Yes, we are offering free online courses for ISO 9001:2015, ISO 14001:2015 and ISO 27001:2013.

    There are two types of courses:
    - The Foundation course, which explains the requirements of the standard and takes one week to finish if you spend two hours a day on it.
    - The Internal Auditor course, which includes the Foundation course plus techniques for conducting internal audits, and takes two weeks at the same pace.

    Here is the link to our courses: https://advisera.com/training/
  • Implementing ISO 9001:2015 over ISO 27001


    Answer:

    Having ISO 27001:2013 already in place makes the implementation of ISO 9001:2015 much easier than starting from scratch. As you probably know, the new version of ISO 9001 has the same structure as the latest version of ISO 27001, and this also means that you can use the same processes for the common requirements of both standards.

    First, identify the common requirements and processes, like determining the context of the organization, resource management, internal audit, management review, etc. Since you already have these in place according to ISO 27001, you only need to make adjustments to comply with ISO 9001.

    The next step is to meet the requirements specific to ISO 9001, like writing the quality policy and objectives, addressing risks and opportunities, determining criteria for processes, measuring customer satisfaction, etc.

    For more information see these materials:
    - ISO 9001 Implementation Diagram https://advisera.com/9001academy/free-downloads/
    - How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/

    There is also a free webinar on this topic:
    - Free webinar – ISO 27001 implementation: How to make it easier using ISO 9001 https://advisera.com/9001academy/webinar/iso-27001-implementation-how-to-make-it-easier-using-iso-9001-free-webinar-on-demand/
  • What is ISO 27001?

    Methodology for ISMS, framework, process, etc. I do not know whether there are these priorities.
    When a Management System has been created, first the process is created, and second the methodology; I know that third the framework is created.
    What really is in their relationships, or is that not something to wonder about?

    Answer:
    I am sorry, but I am not sure if I have understood your question; however, for ISO 27001 the relationships that you have mentioned are not relevant. The central idea of an ISMS based on ISO 27001 is risk management, so this article may be interesting for you: “The basic logic of ISO 27001: How does information security work?” https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This article may also be especially interesting for you: “What is ISO 27001?” https://advisera.com/27001academy/what-is-iso-27001/

    By the way, for the implementation of a project of this type, this article may also be interesting for you: “ISO 27001 implementation checklist” https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    And maybe our online course may also be interesting for you: “ISO 27001:2013 Foundations Course” https://advisera.com/training/iso-27001-foundations-course/
  • Referencing to security controls in policies and procedures


    Answer:

    It is true that we did not reference particular controls within the text of each security rule, because this is not required by ISO 27001 - sometimes one security rule covers several controls, and sometimes the same control is covered within several security rules, so referencing the particular control in the text of each security rule would be rather difficult.
  • Clause 9.1 - measurement in ISO 27001 toolkit


    Answer:
    In our documentation toolkit there are basically two levels of measuring: the first is at the level of the documents - in the last section of most of our documents, you'll find a sentence: "When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:..." and then a couple of items to be measured.

    The second level is for the controls - in the Statement of Applicability you should set the objectives for each control, and then you can measure to what level those objectives have been fulfilled.

    These two levels are applicable for smaller and mid-size companies - of course, for larger companies you might develop more precise and more comprehensive systems like KPIs or Balanced Scorecards.

    These materials will also help you:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    - ISO 27001 and ISO 27004: How to measure the effectiveness of information security? https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/
    - ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/
  • Using ISO 27001 & ISO 22301 Toolkit for ISO 22301 implementation


    Answer:
    If you purchased the ISO 22301 Documentation Toolkit, then there are no information security documents in it. On the other hand, if you purchased the ISO 27001 & ISO 22301 Premium Documentation Toolkit, and want to implement ISO 22301 only, then you should do the following:
    - Implement documents from folders Procedure for document and record control, Procedure for identification of requirements, and Risk assessment and treatment
    - Then move on to core business continuity documents that you'll find in the folder A.17 Business Continuity
    - At last, you should implement documents from folders Training and Awareness Plan, Internal Audit Procedure, Management Review Minutes and Procedure for Corrective Action

    The risk assessment methodology, with a focus on asset-based risk assessment, is completely applicable to business continuity as well; in the Risk assessment table you'll find catalogs of threats and vulnerabilities, many of which are applicable to business continuity. This article will also help you: Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    By the way, in the "List of documents" that is included in the toolkit, you can see which documents are mandatory for ISO 22301 and which for ISO 27001.